
Re: openldap user login



Hi,

Mon, 05 Dec 2011 13:17:33 +0100 "Raffael Sahli" <public@raffaelsahli.com> wrote:
>Hi

>This means that pam_ldap is working but nss_ldap isn't (restart the nscd
>daemon, if installed).
>Check your auth log on your fedora. You should see some lib_nss log
>messages.

Everything is working fine but the problem is with the ACL rule which is used to restrict a user to see his information only.

access to filter=(objectClass=person)
 by self write
 by dn.children="ou=People,dc=abc,dc=com" none
 by anonymous none
 by * none

The problem is with 'by anonymous none'. Here it restricts access as desired (meaning each user can see only his own info), but when I do $ ssh ldap_6@<client-node>, it asks for the password and then shows the following:

id: cannot find name for user ID 514
[ I have no name!@<client-node>]

On the other hand, when I specify 'by anonymous read' in the above ACL rule and do $ ssh ldap_6@<client-node>, it works:

[ldap_6@<client-node>]

but user ldap_6 can see other users' info, since anonymous can read everything, which is not desirable.


So my problem is that I want to specify the ACL rule such that each user can see only its own data, and at the same time I should not get 'I have no name!' after ssh.

How do I write the ACL rule to achieve this?

Any suggestions are welcome.

>On 12/05/2011 11:48 AM, Jayavant Patil wrote:
>> Hi,
>>
>>    I am using openldap-2.4.19-4 on a Fedora 12 machine. In order to
>> protect rootbindpw, I removed it from /etc/ldap.conf and wrote it
>> in /etc/ldap.secret with root access only. Now, the /etc/ldap.conf file
>> (with permissions 644) contents w.r.t. bind are as follows:
>>
>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> #binddn cn=root,dc=abc,dc=com
>>
>> # The credentials to bind with.
>> # Optional: default is no credential.
>> #bindpw cluster
>>
>> # The distinguished name to bind to the server with
>> # if the effective user ID is root. Password is
>> # stored in /etc/ldap.secret (mode 600)
>> rootbinddn cn=root,dc=abc,dc=com
>>
>> but now when I do $ssh ldap_6@client-node-name, I get the following
>> message:
>>
>> id: cannot find name for user ID 514
>> id: cannot find name for user ID 514
>> [I have no name!@client-node-name ~]$
>>
>> When I do $ id on the client node I get the following:
>>
>> uid=514 gid=514(ldap_6) groups=514(ldap_6)
>>
>>
>> Any idea what could be the problem?
>>
>>
>>
>>
>>
>> --
>>
>> Thanks & Regards,
>> Jayavant Ningoji Patil
>> Engineer: System Software
>> Computational Research Laboratories Ltd.
>> Pune-411 004.
>> Maharashtra, India.
>> +91 9923536030.
>>


--

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
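
Added example (not part of the thread, and not a configuration Jayavant or Raffael posted): a slapd.conf ACL set that keeps each user's non-NSS attributes private but still lets an anonymous lookup resolve uid 514 to a name. The reason 'by anonymous none' produces 'I have no name!' is that the lookup which prints the prompt runs as ldap_6, not as root, so nss_ldap does not use rootbinddn/ldap.secret and binds anonymously (a non-root binddn/bindpw in a mode-644 /etc/ldap.conf would be readable by every local user, the same problem the rootbindpw move solved; if nscd is running, lookups go through it instead and it must be restarted after the ACL change, as Raffael said). The attributes NSS needs (uid, uidNumber, gidNumber, homeDirectory, loginShell, cn, gecos, and the objectClass used in its search filter) are therefore made world-readable, which is the same information every local user can already read from a flat /etc/passwd, while everything else in the entry stays visible to its owner only. One further point about the rule as posted: 'by self write' on the whole person entry lets a user rewrite his own uidNumber and gidNumber, so below those attributes are read-only for everyone and self write is limited to the password and the non-NSS attributes. The suffix dc=abc,dc=com, the rootdn cn=root,dc=abc,dc=com and ou=People,dc=abc,dc=com come from the thread; ou=Group,dc=abc,dc=com, the posixAccount/posixGroup object classes and an nss_ldap search base of dc=abc,dc=com are assumptions.

```conf
# Added example ACL for slapd.conf (OpenLDAP 2.4), not from the original thread.
# Assumed: suffix dc=abc,dc=com, users under ou=People,dc=abc,dc=com
# (objectClass posixAccount), groups under ou=Group,dc=abc,dc=com
# (objectClass posixGroup), nss_ldap search base dc=abc,dc=com.
# Rules are evaluated in order; the first "access to" whose target matches
# an (entry, attribute) pair decides, so the specific rules come first.

# 1. Passwords: the owner may change them, anonymous may only use them to
#    bind (auth), nobody else can read them.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# 2. What nss_ldap needs for getpwuid()/getpwnam(): readable by everyone,
#    including the anonymous bind that a non-root process such as "id" uses.
#    "entry" is the pseudo-attribute that lets the entry be returned at all;
#    read implies search, so (uidNumber=514) and (uid=ldap_6) filters work.
#    Deliberately "read" for self too: a user must not edit his own UID/GID.
access to filter=(objectClass=posixAccount)
        attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by * read

# 3. Same for getgrgid()/getgrnam() and group membership.
access to filter=(objectClass=posixGroup)
        attrs=entry,objectClass,cn,gidNumber,memberUid
        by * read

# 4. slapd needs at least search access to the "entry" pseudo-attribute of
#    the search base (and the containers) before it evaluates anything below
#    it; only the existence of these three entries becomes visible, not
#    their attributes.
access to dn.exact="dc=abc,dc=com" attrs=entry
        by * read
access to dn.exact="ou=People,dc=abc,dc=com" attrs=entry
        by * read
access to dn.exact="ou=Group,dc=abc,dc=com" attrs=entry
        by * read

# 5. Everything else in a person entry (mail, telephoneNumber, description,
#    ...) is visible to, and editable by, its owner only. This is the
#    original rule, now reached only for attributes rules 1-2 did not claim.
access to filter=(objectClass=person)
        by self write
        by * none

# 6. Default for the rest of the tree.
access to *
        by * none

# Checks, run from the client after restarting slapd (and nscd, if present):
#   ldapsearch -x -H ldap://<server> -b ou=People,dc=abc,dc=com '(uidNumber=514)'
#     (anonymous, like nss_ldap) should return uid/uidNumber/gidNumber/
#     homeDirectory/loginShell but no userPassword or mail;
#   getent passwd 514
#     should print the ldap_6 line, and the ssh prompt shows ldap_6 again.
```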